Nitro Cloud Security Policy and Infrastructure

I. Overview

What this security policy covers

Nitro Cloud uses the latest technology to ensure your data and company operational activities are safe and private. Feel safe knowing you and only you control access to your data. Your data is protected through a sophisticated combination of permission structure, authentication procedures, security firewalls, and SSL encryption. Nitro software and servers are designed to be highly secure against both malicious attacks and other types of breaches.

Nitro Cloud security functions on various levels to address each layer of access—from logging into the system to guarding the hardware and equipment storing your data. This document describes the security measures that Nitro takes to ensure that the information and data from your business transactions remain private and secure.

Provide better protection for your data than in-house systems or paper files, with an inherent backup for your operational data.

Lower the total cost of ownership and maintenance by including the security framework as part of the application without additional hardware or software.

Maintain complete control of usage and explicitly authorize any visibility to your data in Nitro Cloud.

Eliminate confusion by providing only application modules, actions and data relevant to the user’s job function.

Provide third party organizations in your network visibility to accurate, real-time data within Nitro Cloud without compromising data integrity.

II. Security Framework

A. Physical Security

The Nitro Cloud service hardware, meaning all networking components, servers and machines, is physically secure, configured redundantly and adheres to disaster recovery protocols.

Co-Location Environment

The Nitro service is hosted in first level, telecom grade facilities, located in California. These facilities have secured physical access 24 hours a day, 7 days a week. The facility has continuous presence of security guards and all its entrances are further protected with biometric, palm print, picture identification security and closed-circuit television (CCTV). Only a restricted number of employees have direct access to the server hardware and all their visits are screened, identified and recorded for audits.

This facility is served by redundant electrical power generators, redundant data center air conditioners, and other backup equipment designed to keep network access for both the operational servers and their security systems continually up and running.

Reliability and Backup

All networking components, SSL accelerators, load balancers, Web servers, and application servers are configured in a redundant configuration. All customer data is stored on a database served by a database server cluster for redundancy. All customer data is stored on carrier-class disk storage using RAID disks and multiple data paths. All customer data, up to the last committed transaction, is automatically backed up. Backups are encrypted, verified for their integrity and replicated.

B. Network and Server Security

Nitro employs several best practices to ensure that as a software service delivered on demand via the Internet, the network and Web servers are secure.

Inside the perimeter firewalls, the internal network utilizes a set of security barriers such as address translation, port redirection, non-routable IP addressing schemes, and masquerading to further protect the data. The data itself is protected by multiple security layers, unreachable by the firewall or any other external-facing device. The specific details of the network design itself are proprietary for security reasons.

Operating System Security

Nitro Cloud enforces tight operating system-level security by using a minimal number of access points to all production servers. We protect all operating system accounts with strong passwords, and production servers do not share a master password database. All operating systems are maintained at each vendor’s recommended patch levels for security and are hardened by disabling and/or removing any unnecessary users, protocols, and processes. All servers are continuously monitored to ensure optimal performance and to detect any problems, including those that could be caused by a possible intrusion. Any such problem is sent by pager to an operations engineer, who is on call 24 hours a day, 7 days a week.

Server Management Security

All data entered into Nitro Cloud by a customer is owned by that customer. The network where your data resides is separate from our own corporate network. Even our development and quality assurance work is performed on a different workspace than the production servers. Nitro employees do not have access to the Nitro Cloud production equipment, except where necessary for system management, maintenance, monitoring, and backups. This access is granted only to those who have direct responsibility for maintaining the Nitro servers, and they use a separate set of user names and passwords to access it. Nitro Cloud does not currently utilize any managed service providers. The Nitro Cloud systems engineering team provides all system management, maintenance, monitoring and backups.

C. Application Security

Nitro Cloud customers can be assured that their usage of the application itself to manage their day-to-day operations is secure. Nitro utilizes state-of-the-art technology to ensure the application and your data are safe.

Application Security

The Nitro Cloud application can only be accessed via high strength, 128-bit encryption or greater. This type of encryption is identical to what banking systems use. This encryption applies not only to user names and passwords, but to all the data that goes in and out of the system, either to a user interface, or through one of the integrations to external applications.

Nitro Cloud makes very limited use of cookies on your browser (cookies are small pieces of information that get stored on your computer). These are only used to make your usage of the application better and more efficient. We do not use cookies to track any activity or collect any information other than what is used to interact with Nitro.

Data Encryption

Nitro Cloud uses the strongest encryption products to protect customer data and communications, including 256-bit DigiCert SSL Certification and 2048-bit RSA public keys. All user data is encrypted at rest.

User Authentication

Nitro’s robust application security model prevents one Nitro Cloud customer from accessing another's data. This security model is reapplied with every request and enforced for the entire duration of a user session. An encrypted session ID cookie is used to uniquely identify each user.

User Passwords

To access Nitro Cloud, users are required to enter a valid username and password combination, which is encrypted via SSL while in transmission. Users are prevented from choosing weak or obvious passwords. Nitro requires high strength passwords (a combination of letters and symbols). These passwords are stored in the database in an encrypted form. The encryption used for these passwords is a “one way” encryption, meaning that once encrypted, they cannot be decrypted. Not even our own employees and database administrators can guess or access your passwords. Nitro will never initiate a communication via e-mail or any other means to ask for a password. The only place where you will need your Nitro password is to access the application. In addition, users are instructed not to distribute or share their passwords.

D. User Roles and Permissions

While application security addresses keeping data confidential for each customer, roles and permissions address keeping data secure within a company with multiple users. A company administrator determines which users can view or edit records of various types.

Customer data contains sensitive information and each customer wants the ability to implement various levels of visibility for users and business partners. A security framework to enable customers to segment data based on a variety of criteria such as roles and permissions, organization type, or specific data fields is a base level requirement for any enterprise software. Nitro Cloud has a robust, flexible security infrastructure to allow customers to manage user and business affiliate security levels, create custom role and privilege packages, and prevent/grant visibility to operational or administrative data.

User Management

As a responsible administrator for your business, you can decide to activate and deactivate the users of Nitro Cloud, or give them “expiration dates” so that certain users will not be able to log on until you decide to reassign them access. This includes business affiliates or partners that conduct transactions in Nitro Cloud on your behalf, or the customers you grant access to in order for them to see the data pertaining to them. For each user, you will be able to assign roles to determine their access and permission levels.

Data Access Management

Data access refers to the ability of the system to restrict access to certain data based on the relationship of the user to that data. This is especially important when inviting multiple third parties into your network. With data access management, you can allow users a view of specific documents based on the assigned permissions.

Activity Audit Trails

To help with transaction histories or data management issues, an audit trail records the history of each transaction and every change made to the system along with the user that made the change and the timestamp.

E. Data Ownership and Database Security

All the data that you trust to Nitro Cloud remains your exclusive property. While Nitro will access the data as required to maintain operation of the system, it will only use the data as aggregates and never individually identify its source.

Each level is more restrictive than the previous one and only a very limited set of operational engineers have access to the database passwords. Whenever possible, database access is controlled at the operating system and database connection level for additional security. Access to production databases is restricted to a limited number of points, and production databases do not share a master password database.